Dear Experts,

What is the requirement for a vpn access for a new office with just internet?

Any feedback will be helpful.

In view of the pandemic, 300-500 staff are to work from home
using VPN.

I'll need an assessment if GPO update (push down to those
remote PCs that are company-owned PCs) should be disabled
or enforced  so need assessments from experts here.

a) if we don't push down the latest policies, NAC requirements
    like AV signatures & patches may not be up-to-date & this
    work-from-home arrangement can last 1-2 months (subject
    to how long the health authority retain the alert level)

b) however, if we enforce &  critical PCs are blocked from
    accessing due to outdated signatures/patches, it will be a
    service disruption to those critical users.  Or if it's blocked,
    feasible for the support guys to exempt those PCs to
    enable them to temporarily connect (to get AV updates
    from our internal AV server) & WSUS?

c) is the GPO update going to consume a lot of bandwidth?
    we have 50Mbps dedicated for VPN users

d) for some reason (I don't know why), we permit split
    tunnelling on our VPN  though the PCs'  browsers are
    locked (greyed out & users can't change) to go thru
    our company proxy so they can't browse public Internet
    using IE/Chrome/FFox but an ultra-secure browser (that
    disallows upload/downloads): only for trusted sites like
    our Intranet, zoom.us (for remote conferencing) & O365
    URLs, we whitelist in the GPO (ie the 'exclusion' URLs/
    IP section in IE/Chrome) & proxy to enable IE/Chrome to
   …

We a couple of users that each time they login to the VPN, their AD accounts get locked out after they login. (server 2012 R2)
So there able to login but their AD do lockout after that.
If we reset their accounts after a few minutes their AD account locks out again.
They are using Cisco VPN.
Anyone have any idea on why it keeps locking out their AD account when logging into the VPN?
If they don't login to the vpn, their AD does not ever lock.

We have been using the VPN that is built into Windows. Our server is Windows Server 2016 and our workstations are Windows 10 Pro.  Most of us are remote, so we VPN to connect and work.  Some users are having issues where the VPN keeps dropping and not related to internet, the internet service is fine, just the VPN will randomly disconnect.  Would it be better to use a VPN router and if so, which one and do we just need one at the data center where the server is, or does every remote person need a matching VPN router?

I have a meraki MS225 attached to a Cisco 2900 router configured for NAT. I can see the Meraki has a private IP and I can ping it locally and over VPN. I see NAT translations from it. But it fails to register to Meraki cloud. Any thoughts?

I also notice that sho cdp nei is failing to show it. But I can see the arp entries.

I need help to establish a VPN connection from my home Linux box (Debian 10) to office's SonicWall TZ300 using strongswan ipsec.
Here is my config files:/etc/ipsec.conf

conn GroupVPN
        auto=add
        left=%any
        leftid=@GroupVPN
        leftsourceip=%config4
        leftsubnet=192.168.1.2/32
        leftfirewall=yes

        right=<SW_IPaddress>
        rightid=@<UniqueFirewallIdentifier>
        rightsubnet=10.0.0.0/24

        keyexchange=ikev1
        keyingtries=0
# aggressive=yes disabled by default when auth by PSK. It's enabled by setting
# charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes in strongswan.conf
# see https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode
        aggressive=yes
# see https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites
        ike=3des-sha1-modp1536!
        esp=3des-sha1-modp1536!
        authby=xauthpsk
        xauth_identity=<MyUserName>
        ikelifetime=8h

#include /var/lib/strongswan/ipsec.conf.inc

Select all Open in new window

/etc/ipsec.secret

#include /var/lib/strongswan/ipsec.secrets.inc

@GroupVPN @<UniqueFirewallIdentifier> : PSK <SharedSecret>
<MyUserName> : XAUTH "<MyUserPassword>"

Select all Open in new window

# ipsec statusall
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.19.75+, armv6l):
  uptime: 2 seconds, since Jan 28 19:02:33 2020
  malloc: sbrk 811008, mmap 0, used 468032, free 342976
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  192.168.1.2
Connections:
    GroupVPN:  %any...<SW_IPaddress>  IKEv1 Aggressive
    GroupVPN:   local:  [GroupVPN] uses pre-shared key authentication
    GroupVPN:   local:  [GroupVPN] uses XAuth authentication: any with XAuth identity '<MyUserName>'
    GroupVPN:   remote: [<UniqueFirewallIdentifier>] uses pre-shared key authentication
    GroupVPN:   child:  192.168.1.2/32 === 10.0.0.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none

Select all Open in new window

From SonicWall log (most recent at the top):

Select all Open in new window

…

Which model of Meraki SD WAN (MX I think) device best suits the data center in a dual-hub and spoke toplogy? The MX84 I believe would work find in the remote office. Thank you.

Is there a way to lock down the certificate issued from the ASA to a specific host?   I love the ease of a VPN client, but an worried that the certificate can be copied and put on other systems.


Fox

I have a TS-215 running firmware 4.4.1.1146.  I am trying to setup a VPN connection to the device following this article:

https://www.qnap.com/en/how-to/tutorial/article/how-to-set-up-and-use-qvpn-2-0/

I have the firewall port setup for the VPN connection and correct internal IP of the QNAS.  I have the QBELT server enabled, User privilege assigned,  and setup the connection profile.  I then downloaded the installer/config file and installed to a Windows 10 system.  When I go to connect, I can watch the process of dialing, then see it try to authenticate.  At that point I get an error "Unabel to create a VPN connection" I went back through the setup steps again, and do not see where I have missed anything.

Has anyone setup a VPN to a QNAS?  Is there something I have overlooked?

I have a group of outsourced workers that work for me from India.  We are wanting them to be able to send PDF documents directly to a printer in our office in the US, but.... do not want to have them connecting to our office via a VPN or anything like that.

With that being said, I am wondering if it is possible to have them email the PDF to an email address that uses Outlook 2016 and setup a script or something that would run every 30 seconds or so looking for all new emails and automatically printing any attachments, then marking the email as read and moving to another folder?

If so, can I get assistance with the code/script or any software that would do this?  In pretty bad need as this was just added to my plate and they want it ready by Monday.
Any assistance is appreciated.  Operating System is Windows 10 Pro, 64 Bit

Hi,

I m thinking of setting up a permanent vpn for my Synology router (mr 2200 ac and/or Synology nas ds918+).

The idea is that this adds extra protection, maybe also speed (I know in general speed hoes down but maybe by using compression techniques?) and anonymity (add blocking/spyware blocking offered by vpn providers, also tracking my Internet usage by companies will be harder).

Also, that way I could put my home network wherever I want in the world.
Disadvantage might be that I get search results for that country I set my vpn to.
Advantage: I could switch Netflix to another country :-)

Note: have already Pihole and safe browsing enabled (Synology router).

I do would need split tunneling then since I d need to be able to vpn to my synologies vpn server. Also I guess I better take a vpn connection to a nearby country for low latency.

For the vpn I d take a lifetime subscription on f.e. fastestvpn or vpn unlimited.

Lots of open questions. Anyways, appreciate your input!
J

We are using Cisco AnyConnect to connect remote users to ASA's. We have Regions with remote offices in each Region. Remote Offices at each Region connect via Site to Site VPN's. Remote Users connect to Region ASA's via AnyConnect.

For Example, Remote User1 uses Cisco AnyConnect to Access Region Site 1 through an ASA. This works and works well.

Remote User1 can access Region Site 1, and our ASA allows User1 to Access Region Site 1 and Region Site 2. This works and works well.

Remote User1 cannot access another Remote Office ASA through it's Region

Our problem is when Remote User1 connects to Region Site 1 ASA and tries to access another Remote Office. So we are trying to go from Remote User to Region ASA to a Remote Office that is connecting to the Region ASA via Site to Site VPN tunnels.

Couple of Questions:

1. Is this do-able?
2. We have been getting IP Spoof errors on ASA
3. We have created rules to allow the traffic
4. We have created a NAT exception

So ideally, we would like Remote User1 to connect to the Region ASA and be able to connect to another Remote Office ASA. We would like the Remote User1 to be re-ip'd with the Remote Office ASA ip scheme.

Am I making sense or am I crazy?